question: How do roles work now #9
Comments
@MVethana , please see if this makes sense:
@greenpau Where does the "authp/" come from, is this a set keyword or is it dynamic from the contents of the jwt we are using. This is an example jwt that I am using,
@MVethana , it is set when authenticating with auth portal. In your case, you have
@MVethana , you obviously need to change the key. More about it here: https://authp.github.io/docs/authorize/token-verification
Any way to debug the specific cause of a "user authorization failed" error? In that case that line has not changed for me from when I switched over from caddy-authorize, yet I'm getting errors now
@MVethana , the
Specifically, debug is giving me
@MVethana , the handler looks for tokens in the way described here. Do you provide the token in a cookie? bearer? etc.? Based on the above, I will guide you to the relevant command(s).
@greenpau The setup I have was working with caddy-authorize,
@greenpau Seems to be a cookie from the organizr docs
@MVethana , I have a guess about it. Let's try this then.
Please change Just to confirm does the
@MVethana , with the above ACLs, we will see what is being hit and what type of data is there. Also, please use
Please create a gist with the logs.
With the acl above this is what I am receiving,
Will run caddy-trace and see what authorize is getting in just a bit
@MVethana , what are the messages above this one? This just tells me that authorization has failed and authorizer redirects a user with By the way, you could also disable the redirect for the troubleshooting:
That would be the source of the info. What is strange is that you are not seeing "hit" log messages from ACL. Which might mean that the authorization is failing at the token discovery phase.
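The two phases greenpau distinguishes above (token discovery, then ACL evaluation) are easy to confuse when the only visible symptom is "user authorization failed". The following is an added illustration written for this thread, not code from the issue or from caddy-security: a small stand-alone authorizer that reports which phase rejected a request. The token name, shared key, cookie names and the `roles` claim are constructed assumptions; the `authp/` role prefix is the one the thread says the auth portal assigns, and the allowed set mirrors the `allow roles authp/admin authp/user` line.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the issue). SHARED_KEY plays the role of
# `crypto key verify <secret>`, TOKEN_NAME of `crypto key token name <name>`,
# and ALLOWED_ROLES of the `allow roles ...` ACL line.
SHARED_KEY = b"demo-shared-secret"
TOKEN_NAME = "access_token"
ALLOWED_ROLES = {"authp/admin", "authp/user"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Test fixture only; a real auth portal does this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def discover_token(headers: dict, cookies: dict, token_name: str):
    """Token discovery phase: Authorization bearer header first, then a
    cookie whose name equals the configured token name. A cookie with any
    other name (e.g. an app-specific one) is simply not seen."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "bearer"
    if token_name in cookies:
        return cookies[token_name], f"cookie:{token_name}"
    return None, None


def verify_hs256(token: str, key: bytes):
    """Return the claims if the token is a well-formed HS256 JWT signed
    with `key`, else None. The alg is pinned so a token that claims another
    algorithm is rejected before any signature comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        hdr = json.loads(_b64url_decode(header))
        if hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, TypeError):
        return None


def authorize(headers, cookies, token_name=TOKEN_NAME, key=SHARED_KEY,
              allowed=ALLOWED_ROLES):
    """Return (allowed, reason). The reason names the failing phase, which is
    the detail a plain 'user authorization failed' message hides."""
    token, source = discover_token(headers, cookies, token_name)
    if token is None:
        return False, "token not found (discovery phase; check token name)"
    claims = verify_hs256(token, key)
    if claims is None:
        return False, f"signature verification failed ({source})"
    roles = claims.get("roles", [])          # claim name is an assumption
    if isinstance(roles, str):
        roles = roles.split()
    hit = sorted(set(roles) & allowed)
    if not hit:
        return False, f"acl: no matching role in {roles}"
    return True, f"acl hit on {hit} ({source})"


if __name__ == "__main__":
    good = mint_hs256({"sub": "alice", "roles": ["authp/user"]}, SHARED_KEY)
    print(authorize({}, {"access_token": good}))
    print(authorize({}, {"some_other_cookie": good}))   # discovery failure
```

Run against a request whose cookie name differs from the configured token name and the reason is the discovery-phase one, with no ACL "hit" at all, which matches the pattern greenpau describes; a wrong key or a role outside the allowed set produces the other two reasons.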
With redirect disabled confirmed that verify key and token name are correct, any way to privately send you the gist @greenpau ?
@MVethana , please send it to greenpau@outlook.com
Sent
@MVethana , there is only 1 line with
@MVethana , here is what I see. The request comes with 2 cookies. I replaced UUID instead of redacting them.
You need to set
Please confirm that you did that.
Yes I have, can confirm that crypto key verify and crypto key token name are the correct values, the exact same key verify and name was used yesterday working with caddy-authorize and I checked again to confirm nothing had changed and they are both still correct
@MVethana , confirmed bug with validator.
@greenpau Any idea how long of an ETA for a fix or is it better to revert back to caddy-authorize for now?
@MVethana , another 30 mins.
@MVethana , released fix in https://github.com/greenpau/caddy-security/releases/tag/v1.0.2 Please retest and re-open if necessary. Do not use
@greenpau Still seems to be an issue on my end, tried a couple different things following the gist and still not working, can confirm I am using routes as well. Let me know what you need to debug this further
Please post your full config in a gist. Share via email.
Sent
@greenpau I've narrowed it down and it makes no sense to me, the config I sent to you does not work with caddy-security on its own, however the moment I add caddy-security & caddy-trace together without even including a "trace tag=" in the route, the config works as expected. Is caddy-trace required with caddy-security now? Or is this a bug?
@greenpau To make sure I am not going crazy, I redownloaded caddy, one with just caddy-security, one with caddy-security & caddy-trace, I copied and pasted the config from the gist I sent you last night and am using that with my Only with caddy-trace added does the config work, even though I have no trace tag in the config
Idk yet. Let's tackle one issue at a time. Add "debug on" above security. Then, so the trace with logs and let's see what is working. |
this could be an issue with the download builds, i.e. unrelated to the security app. |
Just emailed you a gist of the config working with security and trace installed with trace tag="overseerr", let me know what else you need
@MVethana , side note. Previously when trace was enabled I saw tokenzr cookies appear twice (each of them) in a request.
Tokenzr?
@MVethana , disregard the above for now. I looked at the logs without trace and I see ACL hits saying the traffic is allowed. What is not working right now?
The gist I sent you works as intended, removing the trace tag and removing caddy-trace results in this config not working.
@MVethana , please create a non-working setup. Please email me the gists of the following
That was it, when downloading caddy from the website with the features selected, downloading trace and security gives 1.0.2, whereas downloading security standalone provides 1.0.1
Caddyserver.com says it is providing version latest but clearly the old one is still cached somehow |
Downloading a different combination of caddy-security and caddy2-filter also results in the site providing 1.0.1 instead of 1.0.2 |
@MVethana , let’s consider this issue closed. Please go to the caddy.community forum and ask for help with the Download page. You could also specify the version number in the input box next to the plugin name when downloading from the caddy website.
Previously utilizing caddy-authorize, this line for roles worked
allow roles User Admin
How would this be implemented in caddy-security, the docs don't seem to be updated yet. The repo's description includes this snippet,
allow roles authp/admin authp/user
, but am unsure how to implement this in my existing Caddyfile, specifically I am using organizr's jwt, https://docs.organizr.app/features/server-authentication